July 26, 2016 - We've covered the Neutrino and Magnitude exploit kits. Now we take a look at number #3, RIG EK and the different distribution paths using packet captures collected by our honeypot. The campaigns for distribution involve malvertising and compromised sites (much like all other EKs) but there is a notable diversity in how many different ways RIG EK is being loaded and the type of payloads it is serving.
July 19, 2016 - We have been tracking a malvertising campaign distributing the Cerber ransomware linked to the actor behind the Magnitude exploit kit for months.
Despite a global slowdown in exploit kit activity, this particular distribution channel has remained active and strong. In this post we take a look at some past and present indicators of compromise that show how fake identities remain an effective way to defeat ad platforms' security checks.
July 15, 2016 - The Neutrino developers have made some changes to the landing page source code as well as integrated a new exploit. The malware campaigns that once were Angler's continue to point to Neutrino including a large malvertising attack on top adult sites we detected a few days ago.
July 4, 2016 - The last high profile malvertising activity we had seen was on June 7th with a drive-by download incident on Yahoo that used Neutrino EK instead of Angler EK. This was rather unusual and was later confirmed as not just an anomaly, by the switch of exploit campaigns to Neutrino, precisely around that same time frame. Attacks have been scarce since then, but we just spotted the same group, confirming it is still somewhat in business.
June 28, 2016 - Since the disappearance of Angler EK, exploit kit activity is at one of its lowest it has been in a long time. The focus is therefore on Neutrino EK, which has somewhat picked up the pieces, although at a much lower rate. In this post we look at a change recently noticed with the Flash exploit Neutrino uses, which now includes fingerprinting of the user's machine.